[WEB SECURITY] Fwd: Invitation to www.hackiis6.com

Jeremiah Grossman jeremiah at whitehatsec.com
Thu May 5 12:05:05 EDT 2005


I thought some of you might be interested in this. If you are, content  
is currently running.

Begin forwarded message:

> From: "Roger A. Grimes" <roger at banneretcs.com>
> Date: Wed May 4, 2005  4:41:15  PM US/Pacific
> To: <honeypots at securityfocus.com>
> Subject: Invitation to www.hackiis6.com
>
> It's not the traditional honeypot...but it is. <grin>
>
> Welcome to the HackIIS6.com Contest!
>
> Starting May 2nd and going until June 8th, the server located at
> http://www.hackiis6.com will welcome hackers to attack it. If you can
> deface the web site or capture the "hidden" document, you win an X-box!
> Read contest rules for what does and doesn't constitute a successful
> hack. We've tried to be as realistic as possible in what constitutes a
> successful hack, and in mimicking a basic HTML and ASP.NET web site.
>
> For the most part, almost anything reasonable constitutes a successful
> attack except for a massive network denial of service attack against  
> the
> IIS 6 or its host provider.  Not that doing a successful DoS attack
> wouldn't be a problem in the real world...it would be...but we aren't
> testing that.  We want to test the security of Windows Server 2003,  
> IIS,
> and other Microsoft applications. So, please, respect this one rule of
> the contest so everyone can have a chance at claiming the prize.
>
> Questions and Prizes
> If you have questions, send an email to admin at hackiis6.com.  If you  
> want
> to claim a prize, send your email, with the details listed in the
> official rules to prizes at hackiis6.com.
>
> Contest Summary
> We are going to start the contest for the first two weeks with the very
> basic, static HTML web site that you are now reading. Two weeks later,
> we'll add an ASP.NET web site and a back-end SQL server to add more
> flavor and give more area to attack. We started with the basic site to
> prove that Microsoft's Internet Information Service (IIS) and Windows
> Server 2003 is secure by itself.  This is to satisfy the purists who
> thinking hacking ASP.NET is hacking an application and not the server.
> So, if you've got skillz in one area versus the other, you'll have a
> chance to try both attack types.
>
> Once the contest stops on June 8th, we will announce the winner(s) at
> the upcoming June Microsoft Tech.Ed conference.
>
> The Setup
> This server is running Windows Server 2003, Service Pack1, with all
> current publicly-released patches and hotfixes installed (we ran  
> Windows
> Update and MBSA just like a real admin would do). We installed IIS 6.0.
> and then we followed the basic recommendations
> (http://www.microsoft.com/technet/security/prodtech/IIS.mspx) suggested
> by Microsoft. I added a few tweaks here and there, to put my personal
> mark on the site, but nothing extraordinary.
>
> There is no non-Microsoft software involved with the exception of the
> host's router/firewall, which would be normal in most environments.  We
> want to make this a test of Microsoft software.
>
> Why a hacking contest?
> To have fun!  Sure there will be critics who say sponsoring a hacking
> contest proves nothing.  If the IIS server remains unbroken, it still
> doesn't mean that IIS is really "secure."  True, and if I wasn't the
> contest's team leader, I'd probably be the first one to yell that out.
> Hacking contests rarely prove something is secure, although it only
> takes a single successful hack to prove something is unsecure.
>
> So why do it?  There are very few places on the Internet where hackers,
> good and bad, can hack legally. Windows IT Pro thought the contest  
> would
> be a fun way to interact with the hacker community (they realize most
> hackers have good intentions) and bring some attention to Windows IT  
> Pro
> (of course, they'll disavow all responsibility and blame me solely if
> the server gets hacked) <grin>.
>
> So, welcome to the contest! Hack away.  If the IIS server goes unhacked
> during the extended time period, it might not mean that IIS is
> "unhackable", but if it does survive the contest it might convince a  
> few
> people that it is a relatively secure web server platform. After all,
> over 20% of the Internet relies on it, including some of the largest  
> web
> sites in the world.
>
> Happy Hacking,
>
> Roger A. Grimes
> Contributing editor, Windows IT Pro Magazine
>
> *********************************************************************** 
> *
> ***
> *Roger A. Grimes, Banneret Computer Security, Computer Security
> Consultant *CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4),
> CEH, CHFI
> *email: roger at banneretcs.com
> *cell: 757-615-3355
> *Author of Malicious Mobile Code:  Virus Protection for Windows by
> O'Reilly *http://www.oreilly.com/catalog/malmobcode
> *Author of Honeypots for Windows (Apress)
> *http://www.apress.com/book/bookDisplay.html?bID=281
> *********************************************************************** 
> *
> ****
>


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/



More information about the websecurity mailing list